As we say goodbye to 2020, reflect on the changes in the industry, and reassess our workflows and procedures to work out where 2021 will take us, it's also a brilliant time to look at our security practices and how we can improve them.

After considering the top challenges I saw with development teams and security teams within development environments, I came up with a list of ways to focus our security improvements for 2021.

1. Proportionate security by design

You have likely heard the term ‘by design’ many times when it comes to either privacy or security, and whilst it’s a favorite phrase of mine to say, I often find I need to elaborate on what that actually means.

Figure: A highly simplified list of programme phases.

For example, I created a highly simplified list of phases above. This is in no way perfect or even proportionate, but what it does is highlight the high-level phases of a program.

From the left, we see the ‘conception’ phase, where the idea is generated and hopefully validated, along with the initial design/approach (potentially some pseudo-code and even flow diagrams). From a security and privacy perspective, this phase is also expected to include identifying potential controls to mitigate some risks and reduce others, and generating ideas on how to validate effectiveness.

Over time, I have noticed that one vital piece of building a resilient solution is often misunderstood. The methodology of threat mapping, and understanding how to put it into the context of your solution, is often forgotten, ignored, or misrepresented. Without accurate knowledge of the risks your solution is going to face, it is highly likely these will be missed, ignored, and ultimately exploited.

2. Clear, reliable documentation

One challenge I have seen over and